feat/feat: oci image cache: configure ttl, use volume for caching, di…

src/pull-through-cache-registry/NOTES.md

@@ -4,12 +4,23 @@ As this feature relies on the [Docker-in-Docker
 feature](https://github.com/devcontainers/features/tree/main/src/docker-in-docker)
 we only support the same Debian/Ubuntu platforms.
 
+## Cache Volume
+
+This feature uses a named volume `ptcr-var-lib-registry-${devcontainerId}` for
+caching pulled images, where `${devcontainerId}` is a unique identifier specific
+to the development container where this feature is installed into, stable across
+rebuilds.
+
 ## Registry Configuration
 
+The Distribution Registry service configuration is done by passing environment
+variables to the service, as follows:
+
 - pull-through caching is enabled by passing `REGISTRY_PROXY_REMOTEURL` (a.k.a.
   `proxy:{remoteulr:}`).
 - logging is set to info level by passing `REGISTRY_LOG_LEVEL` (a.k.a.
   `log:{level:}`).
+- the default `debug:` configuration is completely disabled.
 
 ## Acknowledgement
 

src/pull-through-cache-registry/README.md

@@ -15,23 +15,35 @@ Deploys a devcontainer-local CNCF Distribution Registry configured as a pull-thr
 
 | Options Id | Description | Type | Default Value |
 |-----|-----|-----|-----|
-| proxy-remote-url | URL of the upstream OCI registry | string | https://registry-1.docker.io |
-| port | port to bind the CNCF Distribution Registry service to | string | 5000 |
-| registry-name | the Docker container name to give the CNCF Distribution Registry | string | registry-cache |
-| wait | maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service | string | 30 |
+| proxy-remote-url | URL of the upstream OCI registry. | string | https://registry-1.docker.io |
+| port | port to bind the CNCF Distribution Registry service to. | string | 5000 |
+| ttl | expire proxy cache storage after this duration, 168h corresponds with 7 days by default, set to 0 to disable any expiration. Valid duration suffixes are s, m, h, without suffix nanoseconds are assumed. | string | 168h |
+| registry-name | the Docker container name to give the CNCF Distribution Registry. | string | registry-cache |
+| wait | maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service. | string | 30 |
 
 ## OS Support
 
 As this feature relies on the [Docker-in-Docker
 feature](https://github.com/devcontainers/features/tree/main/src/docker-in-docker)
 we only support the same Debian/Ubuntu platforms.
 
+## Cache Volume
+
+This feature uses a named volume `ptcr-var-lib-registry-${devcontainerId}` for
+caching pulled images, where `${devcontainerId}` is a unique identifier specific
+to the development container where this feature is installed into, stable across
+rebuilds.
+
 ## Registry Configuration
 
+The Distribution Registry service configuration is done by passing environment
+variables to the service, as follows:
+
 - pull-through caching is enabled by passing `REGISTRY_PROXY_REMOTEURL` (a.k.a.
   `proxy:{remoteulr:}`).
 - logging is set to info level by passing `REGISTRY_LOG_LEVEL` (a.k.a.
   `log:{level:}`).
+- the default `debug:` configuration is completely disabled.
 
 ## Acknowledgement
 

src/pull-through-cache-registry/devcontainer-feature.json

@@ -1,32 +1,45 @@
 {
     "name": "OCI registry pull-through cache to mirror rate-limited upstream registries, such as Docker Hub",
     "id": "pull-through-cache-registry",
-    "version": "0.0.1",
+    "version": "0.0.2",
     "description": "Deploys a devcontainer-local CNCF Distribution Registry configured as a pull-through cache for the local docker-in-docker",
     "documentationURL": "https://github.com/thediveo/devcontainer-features/blob/master/src/registry-pull-through-cache/README.md",
     "options": {
         "proxy-remote-url": {
             "type": "string",
             "default": "https://registry-1.docker.io",
-            "description": "URL of the upstream OCI registry"
+            "description": "URL of the upstream OCI registry."
         },
         "port": {
             "type": "string",
             "default": "5000",
-            "description": "port to bind the CNCF Distribution Registry service to",
+            "description": "port to bind the CNCF Distribution Registry service to.",
             "proposals": ["5000", "9999"]
         },
+        "ttl": {
+            "type": "string",
+            "default": "168h",
+            "description": "expire proxy cache storage after this duration, 168h corresponds with 7 days by default, set to 0 to disable any expiration. Valid duration suffixes are s, m, h, without suffix nanoseconds are assumed.",
+            "proposals": ["24h", "168h"]
+        },
         "registry-name": {
             "type": "string",
             "default": "registry-cache",
-            "description": "the Docker container name to give the CNCF Distribution Registry"
+            "description": "the Docker container name to give the CNCF Distribution Registry."
         },
         "wait": {
             "type": "string",
             "default": "30",
-            "description": "maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service"
+            "description": "maximum wait time in seconds for Docker to become available when starting the CNCF Distribution Registry service."
         }
     },
+    "mounts": [
+        {
+            "source": "ptcr-var-lib-registry-${devcontainerId}",
+            "target": "/var/lib/registry",
+            "type": "volume"
+        }
+    ],
     "postCreateCommand": "/usr/local/bin/registry-pull-through-cache",
     "dependsOn": {
         "ghcr.io/devcontainers/features/docker-in-docker:2": {}

src/pull-through-cache-registry/install.sh

@@ -3,9 +3,11 @@
 set -e
 
 REGISTRYDEPLOYSCRIPT_PATH="/usr/local/bin/registry-pull-through-cache"
+DOCKERDCONFIG_PATH="/etc/docker/daemon.json"
 
 PROXY_REMOTE_URL=${PROXY_REMOTE_URL:-"https://registry-1.docker.io"}
 PORT=${PORT:-5000}
+TTL=${TTL:-168h}
 REGISTRY_NAME=${REGISTRY_NAME:-"registry-cache"}
 WAIT=${WAIT:-30}
 
@@ -14,6 +16,7 @@ echo "installing feature registry-pull-through-cache"
 cat <<EOF >"${REGISTRYDEPLOYSCRIPT_PATH}"
 PROXY_REMOTE_URL=${PROXY_REMOTE_URL}
 PORT="${PORT}"
+TTL="${TTL}"
 REGISTRY_NAME="${REGISTRY_NAME}"
 
 timeout=${WAIT}
@@ -37,18 +40,20 @@ else
         --name "\${REGISTRY_NAME}" \
         -p \${PORT}:5000 \
         -e REGISTRY_PROXY_REMOTEURL="\${PROXY_REMOTE_URL}" \
+        -e REGISTRY_PROXY_TTL="\${TTL}" \
+        -e REGISTRY_HTTP_DEBUG= \
         -e REGISTRY_LOG_LEVEL=info \
         -e OTEL_TRACES_EXPORTER=none \
         registry:3
 fi
 echo "pull-through cache registry started"
 EOF
 
-echo generating /etc/docker/daemon.json configuring registry-mirrors
-cat <<EOF >/etc/docker/daemon.json
-{
-  "registry-mirrors": [ "http://localhost:${PORT}" ]
-}
-EOF
+echo generating ${DOCKERDCONFIG_PATH} configuring registry-mirrors
+if [ ! -f "${DOCKERDCONFIG_PATH}" ]; then
+    echo '{}' > "${DOCKERDCONFIG_PATH}"
+fi
+jq --arg port "${PORT}" '.["registry-mirrors"] = [ "http://localhost:" + $port ]' "${DOCKERDCONFIG_PATH}" > "${DOCKERDCONFIG_PATH}.new"
+mv "${DOCKERDCONFIG_PATH}.new" "${DOCKERDCONFIG_PATH}"
 
 chmod 0755 "${REGISTRYDEPLOYSCRIPT_PATH}"

test/pull-through-cache-registry/test.sh

@@ -3,7 +3,13 @@ set -e
 
 source dev-container-features-test-lib
 
+cat /etc/docker/daemon.json
+check "Docker demon configuration is updated" bash -c "jq -e '.[\"registry-mirrors\"] | index(\"http://localhost:5000\")' /etc/docker/daemon.json"
+
 check "registry service is up" bash -c "source ./wait.sh && whalewaiting registry-cache"
 check "registry service responds" bash -c "source ./wait.sh && registrywaiting http://localhost:5000"
 
+registry_ip="$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' registry-cache)"
+check "default registry debug port 5001 is disabled on ${registry_ip}" bash -c "! curl -m 2 http://${registry_ip}:5001/"
+
 reportResults